cbcvebase.
CVE-2013-3482
published 2014-01-19

CVE-2013-3482: Stack-based buffer overflow in the rf_report_error function in ermapper_u.dll in Intergraph ERDAS ER Viewer before 13.0.1.1301 allows remote attackers to…

PriorityP356critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
31.51%
98.1th percentile
Stack-based buffer overflow in the rf_report_error function in ermapper_u.dll in Intergraph ERDAS ER Viewer before 13.0.1.1301 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long string in an ERS file.

Affected

3 ranges
VendorProductVersion rangeFixed in
hexagonerdas_er_viewer<= 13.0.1.1298
hexagonerdas_er_viewer
hexagonerdas_er_viewer

Detection & IOCsextracted from sources · hover to see the quote

filenameermapper_u.dll
filenamemsf.ers
bytes
DatasetHeader Begin ... End
  • Look for malicious .ERS files containing a 'DatasetHeader Begin...End' block with an oversized string (>191 bytes) in the header field, which triggers the stack-based buffer overflow in rf_report_error.
  • The exploit buffer offset to EIP overwrite is 191 bytes; monitor for ERS files where the DatasetHeader content exceeds this length.
  • Detect the egghunter tag string 'w00t' within .ERS file content, which is a marker used by the Metasploit exploit payload.
  • Monitor for the ROP gadget address 0x100E1152 (xchg eax, esp # ret from ermapper_u.dll) appearing in memory or file content, indicating DEP/ASLR bypass exploitation of this CVE.
  • The exploit uses ethrlib.dll ROP gadgets (e.g., 0x30d059d9 INC EBX # RETN); presence of ethrlib.dll loaded in the ERS Viewer process alongside ermapper_u.dll is expected in exploitation.
  • ·The ROP gadget addresses and offsets are specific to ERS Viewer 2013 version 13.0.0.1151 only; they will not apply to other versions.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.